Enable x-pack without ssl on kibana and elasticsearch using helm chart

mouna_boujrad · June 22, 2019, 1:21pm

hello,

I have installed kibana and elasticsearch into K8s using helm chart.
I want to enable the x-pack to get user management and roles in the kibana dashboard, but without using the ssl and certificate configuration.

could any one provide me with the solution please.

Thank you in advance.

Christian_Dahlqvist · June 23, 2019, 10:47am

You can not use authentication and role-based access controls in Elasticsearch without configuring SSL/TLS as this would lead to credentials being sent across the network to and between nodes in clear text.

See this thread for a similar discussion.

mouna_boujrad · June 23, 2019, 10:24pm

ok then could you please tell me how to create and elasticsearch certificate using kubernetes because I don't know how to access bin/elasticsearch I have chacked this https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html#node-certificates

but then I can't use these commands on kubernetes , I am new in all these maybe my questios seems stupid but I really don't know how to even get a path could you please help me

Christian_Dahlqvist · June 24, 2019, 5:10am

As far as I know you typically create certificates externally and then pass them into the containers as described in the docker image documentation. There may be other ways to do it I will have to leave it to others as I am not familiar with the helm charts.

mouna_boujrad · June 24, 2019, 1:01pm

for that can I generate a certificate using openssl on kubernetes and used for elasticsearch ?

mouna_boujrad · June 24, 2019, 1:10pm

I already created one and I would like to test it but can you please tell me where can I found this path /usr/share/elasticsearch/config because I couldn't access it through the shell

wwalker · June 24, 2019, 7:33pm

Follow this tutorial to enable user auth without configuring TLS/SSL. By setting discovery.type: single-node in Elasticsearch, you are bypassing the TLS/SSL requirements

However, I strongly recommend against doing so because user credentials are sent over HTTP in plaintext.

mouna_boujrad · June 25, 2019, 12:53am

I found how to add certificate and I did it now I am getting his error
"Caused by: java.lang.reflect.InvocationTargetException",

TimV · June 25, 2019, 1:24am

Please supply the whole stack trace from the log. We cannot guess the problem from what you have provided.

mouna_boujrad · June 25, 2019, 10:27am

2019-06-25T10:20:56.882057213Z "Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory",
 I 
2019-06-25T10:20:56.882063036Z "at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61) ~[?:?]",
 I 
2019-06-25T10:20:56.882068596Z "at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:382) ~[?:?]",
 I 
2019-06-25T10:20:56.882074256Z "at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]",
 I 
2019-06-25T10:20:56.882079897Z "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426) ~[?:?]",
 I 
2019-06-25T10:20:56.882085280Z "at java.util.HashMap.forEach(HashMap.java:1333) ~[?:?]",
 I 
2019-06-25T10:20:56.882120138Z "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:423) ~[?:?]",
 I 
2019-06-25T10:20:56.882136977Z "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:119) ~[?:?]",
 I 
2019-06-25T10:20:56.882143717Z "at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:144) ~[?:?]",
 I 
2019-06-25T10:20:56.882149641Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]",
 I 
2019-06-25T10:20:56.882155163Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]",
 I 
2019-06-25T10:20:56.882168785Z "at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]",
 I 
2019-06-25T10:20:56.882175111Z "at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]",
 I 
2019-06-25T10:20:56.882181018Z "at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]",
 I 
2019-06-25T10:20:56.882228253Z "at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882234700Z "at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882240443Z "at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882246040Z "at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882251927Z "at org.elasticsearch.node.Node.<init>(Node.java:308) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882257697Z "at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882263355Z "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882271710Z "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882318705Z "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I 
2019-06-25T10:20:56.882344091Z "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.1.1.jar:7.1.1]",
 I

This is my entire log

mouna_boujrad · June 25, 2019, 10:28am

this is my configuration esConfig:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12

I used kubectl exec -it elasticsearch-master-0 -- /bin/bash to enter the container and generate certificate in the exact path /usr/share/elasticsearch/certs

TimV · June 26, 2019, 3:08am

There is definitely information missing from that log file. The exception printed there is always caused by another error.

This is almost certainly incorrect. You should never be using a CA cert+key for a keystore or truststore.

mouna_boujrad · June 26, 2019, 3:29pm

I just did what they did in the security configuration

TimV · June 27, 2019, 3:14am

I can't see anywhere in that repository where it tells you to use a CA for this. Can you point me to where you copied this from?

mouna_boujrad · June 27, 2019, 9:02am

github.com

elastic/helm-charts/blob/7.1.1/elasticsearch/examples/security/security.yml

---
clusterName: "security"
nodeGroup: "master"

roles:
  master: "true"
  ingest: "true"
  data: "true"

protocol: https

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

This file has been truncated. show original

this is security example condiguration that they give.

TimV · June 28, 2019, 3:18am

And your example is not the same.

The help charts repo uses elastic-certificates.p12 and you are using ca.p12
I don't know what's in your ca.p12 file, but given the name, I'm guessing that it holds your CA certificate & key, in which case that is the wrong thing to do.

TimV · June 28, 2019, 3:22am

I'll repeat what I said earlier :

The error you are running into has more details than you've provide us. I don't know why your log seem to be cut-off at the point it is, but I really need to see the rest of the error message in order to be able to understand what's causing your problem.

We can solve this, but only if you provide us with the information that we need. Almost all of your replies have been 1 sentence answers, and it's just not enough information for us to help you out. If you want to work this issue out, then you need to do the work so that we can understand the details of what's going on.

mouna_boujrad · July 4, 2019, 11:24am

Sorry for the delay sir.

I understand what you said and I changed the files now I am using the correct file but I still have error :

so I used the helm chart to install elasticsearch

and then I created 2 files security.yml and Chart.yaml in which I put the configuration provided :

https://github.com/elastic/helm-charts/blob/master/elasticsearch/Chart.yaml
https://github.com/elastic/helm-charts/blob/master/elasticsearch/examples/security/security.yml

and the I executed the command :
helm upgrade --wait --timeout=600 --install --values security.yml elasticsearch ./

but I am getting this error

Release "elasticsearch" has been upgraded.
Error: no objects visited

system · August 1, 2019, 11:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.